Data processing addendum

Effective August 8, 2023

This Data Processing Addendum (“DPA”) applies whenever it is incorporated by reference into the Master Services Agreement (“Agreement”) between you and Code42.  Capitalized terms used but not defined in this DPA have the meanings given to them in the Agreement or Data Protection Laws.

1. Purpose and scope

To provide the Offerings to you under the Agreement, Code42 Processes Customer Data on your behalf and Customer Data may include Personal Data.  This DPA reflects the parties’ agreement relating to the Processing of Personal Data in accordance with the requirements of Data Protection Laws.  This DPA will control in the event of any conflict with the Agreement.

2. Definitions

2.1 “CCPA” means the California Consumer Privacy Act of 2018 (California Civil Code sections 1798.100 et seq.), as amended by the California Privacy Rights Act of 2020, and its implementing regulations.

2.2 “Controller” means the entity that determines the purposes and means of the Processing of Personal Data.

2.3 “Data Protection Laws” means any applicable data protection laws and regulations applicable to the Processing of Personal Data under the Agreement, including the applicable laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom and the United States and its states.

2.4 “Data Subject” means the person to whom Personal Data relates.

2.5 “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), including as implemented or adopted under the laws of the United Kingdom.

2.6 “Personal Data” means any Customer Data that identifies, relates to, describes, is reasonably capable of being associated with or could reasonably be linked, directly or indirectly, to an identified or identifiable person.

2.7 “Processing”, “Processes” or “Process” means any operation or set of operations performed upon Personal Data whether or not by automated means, such as collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.

2.8 “Processor” means the entity that Processes Personal Data on behalf of the Controller.

2.9 “Standard Contractual Clauses” means the controller to processor standard contractual clauses for transfers of personal data to third countries which do not show an adequate level of data protection as approved by the European Commission decision 2021/914, dated 4 June 2021, incorporated herein by reference.

2.10 “Sub-processor” means Code42’s Affiliates or other third-party service providers that Process Personal Data for Code42.

3. Processing of Personal Data

3.1  Data Processing Roles.  As between you and Code42, you are the Controller and Code42 is the Processor.  You control the categories of Data Subjects and Personal Data Processed under the Agreement and provide such Personal Data to Code42 for business purposes only.  Code42 has no knowledge of, or control over, the Personal Data that you provide for Processing.  You are solely responsible for the accuracy, quality, and legality of the Personal Data and the means by which you acquired such Personal Data.

3.2  Personal Data Processing. Code42 will Process Personal Data in accordance with the Agreement (including all documents incorporated in the Agreement), and to comply with other reasonable and mutually agreed upon instructions you provide to Code42. Code42 will inform you if, in Code42’s opinion, your instructions violate Data Protection Laws. Code42 will not (a) sell or share Personal Data, (b) collect, retain, use, or disclose Personal Data for any purpose other than for the specific business purpose set forth in the Agreement, including retaining, using or disclosing Personal Data for a commercial purpose other than the purposes specified in the Agreement or as otherwise permitted by Data Protection Laws, (c) combine Personal Data that Code42 Processes under the Agreement with any other personal data it collects or receives outside of Code42’s relationship with you, other than as permitted under Data Protection Laws. Code42 will comply with all applicable provisions of Data Protection Laws in its Processing of Personal Data, including by providing the same level of privacy protection as required by Data Protection Laws. You have the right to take reasonable and appropriate steps (as outlined in Section 6.6 (Customer Audits) of this DPA) to verify that Code42’s Processing of Personal Data is consistent with Data Protection Laws. You also have the right, upon written notice to Code42, to take reasonable steps to stop and remediate unauthorized use of Personal Data by Code42. Code42 will notify you if it makes a determination that it can no longer meet its obligations under Data Protection Laws.


4. Rights of Data Subjects

4.1  Correction, Blocking and Deletion.  If you do not have the ability to amend, block, or delete Personal Data as required by Data Protection Laws, you can provide written instructions to Code42 to act on your behalf.  Code42 will follow your instructions to the extent technically feasible and legally permissible. You will pay Code42’s costs of providing this assistance if the assistance exceeds the services provided under the Agreement.

4.2  Data Subject Requests.  If permitted, Code42 will promptly notify you of any request from a Data Subject for access to, correction, amendment or deletion of that Data Subject’s Personal Data.  Code42 will not respond to any Data Subject request without your prior written consent, except to confirm that the request relates to you.

4.3  Cooperation and Assistance.  Code42 will assist you to address any request, complaint, notice, or communication you receive relating to Code42’s Processing of Personal Data received from a Data Subject or any applicable data protection authority.  Code42 will also assist you with your reasonable requests for information to confirm compliance with this DPA or to conduct a privacy impact assessment.  You will pay Code42’s costs of providing assistance if the assistance exceeds the services provided under the Agreement.

5. Sub-processors 

5.1  Authorization.  You expressly authorize Code42 to engage Sub-processors to Process Personal Data to enable Code42 to perform specific services under the Agreement. You authorize Code42's use of the Sub-processors listed at: http://code42.com/r/support/dpa-subprocessors (“Sub-processor List”).

5.2 Requirements. Code42 has written agreements with its Sub-processors that contain data protection obligations substantially similar to Code42’s obligations under this DPA.  Code42 is liable for any breach of this DPA caused by an act or omission of its Sub-processors.

5.3  Notice and Objection.  Code42 will notify you of the engagement of any new Sub-processor; the parties agree that such notice may be given by Code42 updating the Sub-processor List.  You can subscribe to receive email notification by emailing privacynotices@code42.com with the email address to which you want notification sent.  If you subscribe, Code42 will notify you by email of new Sub-processors before authorizing such Sub-processor(s) to Process Personal Data.  You have a right to reasonably object to Code42’s use of a new Sub-processor by notifying Code42 in writing within 10 business days after Code42 publishes notice of a new Sub-processor. If you do so, Code42 will use reasonable efforts to change the affected Software or Cloud Service, or recommend a commercially reasonable change to your configuration or use of the affected Software or Cloud Service, to avoid Processing of Personal Data by the new Sub-processor.  If Code42 is unable to make or recommend such a change within a reasonable period of time, not to exceed 60 days, you may terminate only the Subscription Term for the Software and Cloud Service that Code42 cannot provide without using the new Sub-processor. You must provide written notice of termination to Code42 in accordance with the Agreement. Code42 will promptly refund you the fees applicable to the unused portion of the Subscription Term for the terminated Software and Cloud Services offering.

6. Security

6.1  Protection of Personal Data. Code42 maintains appropriate administrative, technical and organizational safeguards to protect Personal Data from unauthorized or unlawful Processing, from accidental loss, destruction, or damage.  Code42’s safeguards are described in the Information Security Addendum available at https://support.code42.com/hc/en-us/articles/14827695887383-Information-security-addendum.

6.2  Incident Management and Breach Notification.  Code42 will notify you within 24 hours of becoming aware of a breach of Personal Data. To the extent known, the notice will include (A) a description of the nature of the Personal Data breach, including the categories and approximate number of your Data Subjects concerned and the categories and approximate number of your records concerned; (B) the name and contact details of a Code42 contact point for more information; (C) the measures Code42 is taking to address the breach, including measures to mitigate its possible adverse effects. You can find more information about Code42's incident response procedures in the Information Security Addendum.

6.3 Confidentiality.  Code42 personnel engaged in the Processing of Personal Data are informed about the confidential nature of such Personal Data, receive appropriate training on their responsibilities and are subject to written agreements with confidentiality obligations that survive the termination of their relationship with Code42.

6.4 Limitation of Access.  Code42 ensures that access to Personal Data is limited to those personnel who require access to perform the services under the Agreement.

6.5 Certifications and Audits.  Code42 uses external auditors to verify the adequacy of its security measures.  Such audits are performed at least annually by independent third party security professionals and result in the generation of a confidential audit report (“Audit Report”). Code42’s certifications and Audit Report are described in the Information Security Addendum.

6.6 Customer Audits.  Code42 will provide you a copy of the Audit Report upon request so that you can reasonably verify Code42’s compliance with its obligations under this DPA. To the extent required by Data Protection Laws, Code42 will provide additional information and will allow and contribute to audits.  You will provide written notice to Code42 to request an audit of the procedures relevant to Code42’s Processing of your Personal Data.  The audit must be conducted during normal business hours and cannot unreasonably interfere with Code42’s day-to-day operations.  You will conduct the audit at your own expense and reimburse Code42 for time spent on an on-site audit at Code42’s then current rates.  

7. Return and deletion of Personal Data

Upon termination or expiration of your Subscription Term, or at any time upon your request, Code42 will delete your Personal Data in accordance with the Agreement. Code42 will provide a certificate of deletion upon request. The Software and Cloud Services allow you to retrieve Customer Data at any time prior to the end of a Subscription Term. Providing this functionality through the Software and Cloud Services during the Subscription Term satisfies any obligation of Code42 to return Personal Data.  

8. Cross-border data transfers

8.1 Restricted Transfers. To the extent Code42’s Processing requires the transfer of Personal Data from the European Economic Area (“EEA”), Switzerland and/or the United Kingdom (“UK”) to a third country that does not ensure an adequate level of protection under Data Protection Laws (“Restricted Transfer”), the parties agree that the Standard Contractual Clauses are incorporated into this DPA and apply to the transfer as set forth in Sections 8.2, 8.3 and 8.4 below.

8.2 Transfers from the EEA.  Where the Restricted Transfer is made from the EEA, the Standard Contractual Clauses apply as follows:

(A) Module Two applies where you are the Controller and Code42 is the Processor, and Module Three applies where both you and Code42 are Processors.

(B) Clause 7: The optional docking clause does not apply.

(C) Clause 8.9: The audit described in Clause 8.9 shall be carried out in accordance with Section 6.6 of this DPA.

(D) Clause 9(a): Option 2 (General written authorization) applies and the period for prior notice of changes to our Sub-processors is set forth in Section 5 of this DPA.

(E) Clause 11(a): The optional language does not apply.

(F) Clause 17: The Parties agree that the governing law shall be the law of Germany.

(G) Annex I of the Standard Contractual Clauses is completed with the information in Schedule 1 to this DPA. Annex II is completed with the information in Schedule 2 to this DPA, and Annex III is completed with the information in Section 5.1 of this DPA.

8.3 Transfers from Switzerland.  Where the Restricted Transfer is made from Switzerland, the Standard Contractual Clauses apply as modified in Section 8.2 above, except:

(A) Clause 13: The competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner if the Restricted Transfer is governed by the Swiss Federal Act on Data Protection (FDAP).

(B) References to ‘Member State’ refer to Switzerland and Data Subjects located in Switzerland may exercise and enforce their rights under the Standard Contractual Clauses in Switzerland.

(C) References to GDPR refer to the FDAP, as amended or replaced.

8.4 Transfers from the UK.  Where the Restricted Transfer is made from the UK, the Standard Contractual Clauses apply as modified in Section 8.2 above, subject to the following:

(A) The International Data Transfer Addendum to the Standard Contractual Clauses (“UK Addendum”) applies and is hereby incorporated by reference.

(B) Clauses 17 and 18: The laws and courts of England and Wales shall govern.

(C) The information provided in this Section 8, Schedule 1 and Schedule 2 provides the information required for completing the UK Addendum.

8.5 APEC Privacy Recognition for Processors.  Code42 has obtained APEC Privacy Recognition for Processors (“PRP”) certification.  Code42 will process Personal Data transferred from the APEC region in accordance with its PRP certification. 

Schedule 1

A. List of Parties

Data exporter:

Name: The data exporter is the customer that is party to the Agreement with Code42 Software, Inc.

Address: The address associated with the data exporter’s Code42 account, or as otherwise specified in the DPA or Agreement.

Contact details: The contact details associated with the data exporter’s account, or as otherwise specified in the DPA or Agreement.

Activities relevant to the data transferred under the clauses: The activities specified in Section 3 of the DPA.

Role (controller/processor): Controller

Data importer:

Name: The data importer is Code42 Software, Inc., a global provider of data security services. 

Address: 100 Washington Avenue S, Suite 2000, Minneapolis, MN 55401, United States.

Contact details: privacy@code42.com.

Activities relevant to the data transferred under the clauses: The activities specified in Section 3 of the DPA.

Role (controller/processor): Processor

B. Description of the transfer

Categories of Data subjects

The categories of data subjects whose personal data may be processed include: data exporter’s employees, consultants, contractors, agents, prospects, customers, vendors, business partners and users authorized to use the Services; and employees or contacts of third parties with which data exporter conducts business.

Categories of personal data transferred 

The personal data transferred may include the following categories of data: first and last name, employer, professional title, contact information (email, phone number, physical address), username, identification data (IP address, device ID) and any other personal data provided through the services; depending on the data exporter’s endpoint environment and naming conventions, data transferred may include personal data, such as that possibly found in a computer name, user name or file name.

Sensitive data transferred (if appropriate)

The personal data transferred may include sensitive personal data, the extent of which is determined and controlled solely by the data exporter, and which may include: racial or ethnic origin; political opinions, religious or philosophical beliefs; trade-union membership; genetic or biometric data; health data; and data concerning sex-life or sexual orientation. 

Frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis)

Personal data is transferred in accordance with the data exporter’s instructions as described in Section 3 of the DPA.

Nature of the Processing 

The personal data will be processed for purposes of providing the services as described in the Agreement. The personal data transferred may be subject to the following basic processing activities: cloud based storage, retrieval, erasure or destruction, disclosure by transmission, analysis and any other processing necessary to provide and improve the services pursuant to the Agreement; to provide technical support; and otherwise in accordance with the data exporter’s instructions or to comply with law.

Purpose(s) of the data transfer and further processing

To provide the Services under the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.

The duration of processing will be as specified and in accordance with the published data retention policies under the Agreement.   

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

The personal data transferred may be disclosed to sub-processors of data importer solely as permitted by data importer to provide the services to data exporter under the Agreement. A current list of sub-processors is available at: https://support.code42.com/hc/en-us/articles/14827701351959-Code42-authorized-subprocessors

C. Competent supervisory authority

The data exporter’s competent supervisory authority will be determined in accordance with the General Data Protection Regulation.

Schedule 2

Code42 will maintain administrative, technical and organisational security measures for protection of the security, confidentiality and integrity of Customer Data, including Personal Data, as set forth in the Information Security Addendum available at: https://support.code42.com/hc/en-us/articles/14827695887383-Information-security-addendum.